How to configure L2TP IPSec VPN using ISA Server

October 8, 2009

If you have roaming users who need to reach the internal/private network, you don't want to spend any money, and your existing infrastructure consists of Microsoft AD, DNS, DHCP and ISA Server as the firewall (as in the picture below), you can accomplish this without buying anything: it is a few mouse clicks away.


Figure: Microsoft ISA Edge Firewall, source: Microsoft Corp.

As mentioned above, you need MS AD, DNS, DHCP, Active Directory Certificate Services and ISA Server. If you don't have a certificate server, you can virtualise one following this instruction. Then carry out the following steps:

  1. Check DNS, DHCP and AD connectivity from the ISA server and make sure they are functioning properly.
  2. Check/ping the public IP configured on one of the NICs in the ISA server (ISA has at least two NICs: an internal/private IP and an external/public IP).
  3. Create a specific group in AD and add the users who need VPN access.
  4. Install a machine/computer certificate on the ISA server (L2TP/IPsec uses it to authenticate the IPsec tunnel before any user credentials are sent).
  5. Configure VPN on the ISA server.
  6. Create an L2TP client access policy.
  7. Install user and machine certificates on the VPN client machine.
  8. Create an L2TP VPN dialler on the client machine and test the connection.
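A quick pre-flight check for steps 1, 2, 4 and 5, run on the ISA server itself. This is an added example, not part of the original post or of Microsoft's documentation; the host name dc01.corp.example and the address 203.0.113.10 are placeholders for your own DC and external NIC address, and it assumes PowerShell 2.0 or later is installed on the ISA box.

```powershell
# Added example (not from the original post): pre-flight checks for the L2TP/IPsec
# procedure above, run on the ISA server. Host name and public IP are assumptions.
$DomainController = 'dc01.corp.example'      # assumption: your AD / DNS / DHCP host
$PublicIp         = '203.0.113.10'           # assumption: address on the ISA external NIC

# Step 1: the DC must resolve and answer from the ISA server
$dcAddresses = [System.Net.Dns]::GetHostAddresses($DomainController)
"DC resolves to: $($dcAddresses -join ', ')"
$ping  = New-Object System.Net.NetworkInformation.Ping
$reply = $ping.Send($DomainController, 2000)
"DC ping: $($reply.Status)"

# Step 2: the public IP must actually be bound to one of the local NICs
$localIps = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    ForEach-Object { $_.IPAddressToString }
if ($localIps -contains $PublicIp) {
    "Public IP $PublicIp is bound to a local NIC"
} else {
    Write-Warning "Public IP $PublicIp is not bound to any local NIC"
}

# Step 4: a machine certificate with a private key must be present in the computer store.
# IPsec ignores certificates without a private key or past their expiry date.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}
if (-not $machineCerts) {
    Write-Warning 'No valid machine certificate with a private key in LocalMachine\My'
}
foreach ($c in $machineCerts) {
    "{0}  issuer={1}  expires={2}" -f $c.Subject, $c.Issuer, $c.NotAfter
}

# Step 5: once VPN is enabled, L2TP/IPsec needs UDP 500 (IKE), UDP 4500 (NAT-T)
# and UDP 1701 (L2TP) listening on the server
netstat -ano -p UDP | Select-String ':(500|4500|1701)\s'
```

On the client side (step 8) a saved connection can be dialled from the command line with `rasdial "<connection name>" <user>`, which is handy for testing without the GUI. If IKE never completes, the machine certificate check above is the first place to look: a certificate that is not issued by a CA trusted by both ends, or that has no private key, fails silently at the IPsec stage before the user ever sees a password prompt.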

The following screenshots (not reproduced here) walk through the corresponding dialogs:

ISA Management Console > VPN > VPN Properties

ISA Management Console > VPN > VPN Clients Properties

ISA Management Console > Firewall Policy > Create New Access Policy

ISA Management Console > Apply.

Further Study:

Microsoft Technet

Administrator’s Guide to Microsoft L2TP/IPSec VPN Client

Keywords: ISA Server, L2TP IPSec, VPN


Service Ports: The entrance to the Programs/Application/Web on Your Systems

October 8, 2009

A port is an application or process specific software construct serving as a communications endpoint used by Transport Layer protocols of the Internet Protocol Suite such as TCP and UDP. A specific port is identified by its number, commonly known as the port number, the IP address it is associated with, and the protocol used for communication. Transport Layer protocols such as TCP and UDP specify a source and destination port number in their packet headers. A port number is a 16-bit unsigned integer ranging from 0 to 65535.

An advertised service is simply a service/application/web site available over the Internet on its assigned port. If your machine isn't offering a particular service and someone tries to connect to the port associated with that service, nothing useful happens: someone is knocking on the door, but no one lives there to answer. For example, HTTP is assigned to port 80, though there's no reason why you couldn't run it on port 8080 or any other available port. If your machine isn't running an HTTP web server and someone tries to connect to port 80, the client receives a "connection refused" error: for TCP the host answers the SYN with a RST segment, and for UDP it sends back an ICMP port unreachable message. If a firewall silently drops the packet instead, the client sees no answer at all and eventually times out, which is how port scanners tell a closed port from a filtered one.

By historical convention, major network services are assigned well-known port numbers in the lower range from 0 to 1023. On Unix-like systems only a privileged (root) process may bind to these ports, so they are also called privileged ports. The mappings of port numbers to services are coordinated by the Internet Assigned Numbers Authority (IANA) as a set of universally agreed-on conventions.

The higher port numbers from 1024 to 65535 are called unprivileged ports. They serve a dual purpose. For the most part, these ports are dynamically assigned to the client end of a connection; the combination of client and server port numbers, their respective IP addresses, and the transport protocol used uniquely identifies the connection. Additionally, ports in the range 1024 through 49151 are registered with the IANA. These can be used as part of the general unprivileged pool, but they are also associated with particular services such as SOCKS or X Window servers, and some are registered to a specific vendor for a specific product. The range 49152 through 65535 is reserved for dynamic/private (ephemeral) use and is never registered. Very common officially assigned port numbers are:

Service                     Port / Protocol                 Description
FTP (control)               21/TCP                          Command channel
FTP (data)                  20/TCP                          Data channel (active mode)
SMTP                        25/TCP                          Mail transfer
POP3                        110/TCP                         Post Office Protocol v3
IMAP                        143/TCP                         Internet Message Access Protocol
Telnet                      23/TCP                          Unencrypted remote terminal
SSH                         22/TCP                          Secure Shell
LDAP                        389/TCP & UDP                   Directory access
HTTP                        80/TCP                          WWW
HTTP Alt                    8080/TCP                        Alternate HTTP port
HTTPS                       443/TCP                         HTTP over SSL/TLS
VMware Console              901, 902/TCP & UDP              Console / authentication daemon
VMware Server Management    8222, 8333/TCP                  Web management (HTTP, HTTPS)
Host Name Server            42/TCP & UDP                    Legacy name service (used by WINS replication)
DNS                         53/TCP & UDP                    Domain Name System
DHCP Server                 67/UDP                          Server side of DHCP
DHCP Client                 68/UDP                          Client side of DHCP
WINS                        1512/TCP & UDP                  Windows Internet Name Service
NTP                         123/UDP                         Network Time Protocol
NNTP                        119/TCP                         Network News Transfer Protocol
Ident / Auth                113/TCP                         Identification protocol
Finger                      79/TCP                          User information lookup
WHOIS (nicname)             43/TCP                          Registry lookup
MTP                         57/TCP                          Mail transfer (obsolete)
Gopher                      70/TCP                          Gopher protocol
Kerberos                    88/TCP & UDP                    Authentication
RPC endpoint mapper         135/TCP & UDP                   MS-RPC / DCOM
RPC (courier)               530/TCP & UDP                   Courier remote procedure call
NetBIOS Name Service        137/UDP                         Name registration and lookup
NetBIOS Datagram            138/UDP                         Datagram distribution
NetBIOS Session             139/TCP                         SMB over NetBIOS
SNMP                        161/UDP (traps: 162/UDP)        Simple Network Management Protocol
IKE (IPsec)                 500/UDP                         Internet Key Exchange
IPsec NAT-T                 4500/UDP                        IKE/ESP encapsulated in UDP for NAT traversal
MS SQL Server               1433/TCP                        Database engine
MS SQL Browser              1434/UDP                        Instance discovery (monitor)
RADIUS Authentication       1812/UDP (legacy 1645/UDP)      Authentication
RADIUS Accounting           1813/UDP (legacy 1646/UDP)      Accounting
NFS                         2049/TCP & UDP                  Network File System
RDP                         3389/TCP                        Remote Desktop Protocol
Yahoo! Messenger            5050/TCP                        Instant messaging
AOL Instant Messenger       5190/TCP                        Instant messaging
Windows Live Messenger      6891-6900/TCP & UDP             File transfer
VNC                         5900/TCP, 5800/TCP, 5500/TCP    Display, Java/HTTP viewer, reverse connection
EMC CLARiiON                6389/TCP                        Storage management
L2TP                        1701/UDP                        Layer Two Tunnelling Protocol
PPTP                        1723/TCP (plus GRE)             Point-to-Point Tunnelling Protocol
SMB / Windows share         445/TCP                         Direct-hosted SMB (AD, file and printer sharing)
SCOM / MOM                  1270/TCP & UDP                  Microsoft Operations Manager agent

Note that IPsec ESP (IP protocol 50), AH (IP protocol 51) and the GRE tunnel used by PPTP (IP protocol 47) are IP protocols, not TCP or UDP ports. A firewall rule that only opens TCP/UDP port numbers will not pass them; you have to permit the protocol itself, or in the IPsec case rely on NAT-T on UDP 4500.
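The behaviour described above, a listener that answers, an unused port that refuses, and a firewall drop that times out, together with the ephemeral client port drawn from the unprivileged range, demonstrated on the loopback interface. This is an added example, not from the original post; it constructs its own throw-away listener, so it runs offline and depends on no real service or remote host.

```python
"""Added example (not from the original post): what a client sees when it connects
to a port that is listened on versus one that is not, and which local port the OS
hands the client. Everything runs on 127.0.0.1 with OS-chosen port numbers."""
from __future__ import annotations

import socket
import threading

EPHEMERAL_FLOOR = 1024  # first unprivileged port; client ends are assigned from above here


def start_listener():
    """Bind a TCP server on an OS-chosen loopback port and accept one connection in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 asks the OS for any free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener was closed before anyone connected

    threading.Thread(target=accept_one, daemon=True).start()
    return srv, port


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> dict:
    """Classify a TCP port the way a scanner does and record the local ephemeral port used."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return {"state": "open", "local_port": s.getsockname()[1]}
    except ConnectionRefusedError:
        # The host answered the SYN with a RST: nothing is listening there
        return {"state": "closed", "local_port": None}
    except socket.timeout:
        # Neither SYN-ACK nor RST arrived: a firewall silently dropped the probe
        return {"state": "filtered", "local_port": None}
    finally:
        s.close()


def find_closed_port() -> int:
    """Pick a loopback port with no listener by binding it and releasing it again."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Probe one open and one closed loopback port and return both classifications."""
    srv, open_port = start_listener()
    try:
        open_result = probe_tcp("127.0.0.1", open_port)
    finally:
        srv.close()
    closed_result = probe_tcp("127.0.0.1", find_closed_port())
    return {"open": open_result, "closed": closed_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:6s} -> {result}")
```

The `filtered` branch never fires on loopback, because the local stack always answers; it is what you get when the probe crosses a firewall that drops rather than rejects. The `local_port` reported for the open connection is the client half of the four-tuple described above, and on every mainstream OS it lands well above 1024.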

Further Study:

Internet Corporation for Assigned Names and Numbers

Microsoft Documentation for well known Port

Keywords: TCP, UDP, Ports, IANA

